Guides:Mail Writer GS (EN)
WARNING: This portion of the guide is outdated, the contents of this guide have been merged with the main setup articles. It is only kept for legacy purposes. You can find all up-to-date guides on the TimoVM's Gen 2 ACE setups article.
|
This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see Mail writer. |
The Mail writer is an arbitrary code execution program that allows the user to quickly and accurately write and execute arbitrary code payloads of up to a maximum size of 428 bytes. Payloads are written from wOtPartyCount onward, where enemy trainer's parties are usually buffered.
This guide is applicable to the English versions of Gold & Silver only. It is part of the TimoVM's Gen 2 ACE setups set of guides.
Using the Mail writer requires an ACE setup that redirects execution to the first or second character of box #1's name. For this guide, it is assumed that you've previously set up the modern Coin Case ACE instead.
Older Wrong Pocket TM17 setups, using a Quagsire holding TM02 and having Return in the first move slot, are compatible with this guide. Older setups using the Coin Case are generally not compatible.
If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.
How the mail writer works
Upon execution, the Mail writer will open the mail character entry screen where the player can write up to 32 different characters. After the player has confirmed the mail, the following actions take place:
- The Mail writer will take pairs of characters and convert them into a single combined value. These values are then sequentially written, converting the 32 letter mail into a 16 byte long line of code.
- Next, the Mail writer will display a checksum calculated from the combined value of all written bytes for the player to verify. Then the program enters a waiting state where they can either choose to write another mail, go back and correct previously written values or stop the mail writer and execute the newly written payload.
- If the player has chosen to write a new mail, the Mail writer will open a new mail entry screen. The new mail is then also converted into a block of 16 bytes and placed right after the code written by the previous mail(s), allowing the player to write arbitrarily long payloads.
In short, the mail writer allows you to effortlessly write and execute small ACE codes with a wide variety of possible effects.
Installation
The mail writer itself will be installed in the TM/HM pocket through the following two step process:
- Execute a box code using ACE that sets the quantities of all 50 TMs to x255, adjusts party pokémon #6's stat experience to redirect execution to the TM/HM pocket and adds TM25 to the first slot of the main item pocket.
- Sell TMs in specific quantities so that the amount of TMs in the TM/HM pocket spell out a small mail writer program, then use Wrong Pocket TM25 ACE with the newly adjusted pokémon to use the mail writer.
Since the game only ever expects TM25 to be found inside the TM/HM pocket, using TM25 from the main item pocket will cause the game to execute code from $DA6A (middle of party pokémon #2's stat experience data). As long as a suitable pokémon is placed in party slot #2, Wrong Pocket TM25 can be used at any time outside of battle to trigger ACE.
Step 1: setting all TM quantities to x255
- Rename box names to form the following. Please mind the differences between uppercase X (
), lowercase x (
) and multiplication symbol (
).
|
- Catch any pokémon and nickname it "MAILWRITER". Put it in the fifth party slot. We'll alter this pokémon's stat experience to redirect TM25 execution to the TM/HM pocket.
- Ensure that you have everything set up for Coin Case ACE:
- "BOXCODES" nicknamed pokémon holding mail in party slot #3
- Read the correct mail beforehand
- Perform all steps necessary to execute Coin Case ACE
- Use the Coin Case once. If the code was executed successfully, switch to the TM/HM pocket. It should now contain every TM at a quantity of x255. The code will also overwrite the first item in the main item pocket to be a TM25.
Step 2: Selling TMs to form a program in the TM/HM pocket
Now that we have obtained x255 of every TM, we'll be selling specific amounts of these in order to form a program. This program differs slightly depending on the specific language you're using.
The image belows displays the intended final quantities of all TMs, while the table in the next section displays how many TMs of each kind you need to end up with, along with the amount of money you gain by selling them.
|
TM Quantities to sell
| TM | Final Quantity | Sell value |
|---|---|---|
| TM01 DYNAMICPUNCH | x17 | 357000 |
| TM02 HEADBUTT | x85 | 170000 |
| TM03 CURSE | x221 | 51000 |
| TM04 ROLLOUT | x213 | 42000 |
| TM05 ROAR | x213 | 21000 |
| TM06 TOXIC | x213 | 63000 |
| TM07 ZAP CANNON | x33 | 222000 |
| TM08 ROCK SMASH | x66 | 94500 |
| TM09 PSYCH UP | x98 | 78500 |
| TM10 HIDDEN POWER | x207 | 72000 |
| TM11 SUNNY DAY | x225 | 30000 |
| TM12 SWEET SCENT | x209 | 23000 |
| TM13 SNORE | x42 | 106500 |
| TM14 BLIZZARD | x254 | 1500 |
| TM15 HYPER BEAM | x80 | 262500 |
| TM16 ICY WIND | x56 | 298500 |
| TM17 PROTECT | x251 | 6000 |
| TM18 RAIN DANCE | x40 | 215000 |
| TM19 GIGA DRAIN | x10 | 367500 |
| TM20 ENDURE | x135 | 180000 |
| TM21 FRUSTRATION | x134 | 60500 |
| TM22 SOLARBEAM | x18 | 355500 |
| TM23 IRON TAIL | x19 | 354000 |
| TM24 DRAGONBREATH | x35 | 330000 |
| TM25 THUNDER | x129 | 126000 |
| TM26 EARTHQUAKE | x79 | 264000 |
| TM27 RETURN | x18 | 118500 |
| TM28 DIG | x24 | 231000 |
| TM29 PSYCHIC | x239 | 16000 |
| TM30 SHADOW BALL | x33 | 333000 |
| TM31 MUD-SLAP | x1 | 381000 |
| TM32 DOUBLE TEAM | x196 | 59000 |
| TM33 ICE PUNCH | x77 | 267000 |
| TM34 SWAGGER | x205 | 25000 |
| TM35 SLEEP TALK | x239 | 8000 |
| TM36 SLUDGE BOMB | x58 | 98000 |
| TM37 SANDSTORM | x27 | 228000 |
| TM38 FIRE BLAST | x205 | 50000 |
| TM39 SWIFT | x144 | 111000 |
| TM40 DEFENSE CURL | x55 | 100000 |
| TM41 THUNDERPUNCH | x189 | 99000 |
| TM42 DREAM EATER | x40 | 322500 |
| TM43 DETECT | x217 | 19000 |
| TM44 REST | x56 | 298500 |
| TM45 ATTRACT | x240 | 22500 |
| TM46 THIEF | x254 | 1500 |
| TM47 STEEL WING | x08 | 370500 |
| TM48 FIRE PUNCH | x200 | 82500 |
| TM49 FURY CUTTER | x24 | 346500 |
| TM50 NIGHTMARE | x242 | 13000 |
Running the newly written program
- It is recommended to save before continuing.
- Put the pokémon that was nicknamed "MAILWRITER" into the 2nd party slot.
- Use TM25. If everything went correctly, this will start the mail writer and open a screen asking you to input text for a mail.
- From now on, you can repeat this process at any time to start the mail writer.
If the game crashes, first recheck if all TM quantities are correct. If all quantities are correct, you may need to redo the setup for the "MAILWRITER" pokémon. This can be done using the box codes included a bit further below.
A note on the nicknamed pokémon: when running the box name code, we altered "MAILWRITER"'s stat experience data to contain a redirect to the TM/HM pocket. You can safely deposit and withdraw it from the PC. Please note that this pokémon must never gain experience after this point, otherwise you'll need to reapply the setup.
Using the mail writer
From now on, simply go through the necessary steps to use TM25 to start up the RAM writer.
The mail writer will open a screen that asks you to write the contents of a mail. This is where you'll need to enter mail codes. Once done, use the "END" option to finish the mail.
This will cause the mail writer to convert the newly written code into assembly. It will also print a checksum (sum of all written values) on the screen just to the right of the lower row. This can be used to verify if a code was entered correctly.
Due to a lack of available memory in the TM/HM pocket, it is not possible to quit the RAM writer without executing the newly written code. If you ever accidentally activate the mail writer and would like to quit, simply write a mail containing "Rh", then confirm and exit the RAM writer.
Assembly can easily be converted to mail codes using TimoVM's MailConverter. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write.
Controls
Between entering mail codes, the mail writer will ask for user input.
- Press SELECT to open a new mail and continue writing data.
- Press START to immediately jump to and start executing the newly written program. Only use this when you've finished every mail.
- Press any other button to go back one byte at a time to correct errors. If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail. This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going.
 |
|
| Enter your mail code, then press "END". | It prints the checksum and waits for input. |
What to do with the Mail writer
The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following:
- Mail codes: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as fixing the side effects of the ACE setup, editing pokémon and items, etc..
- RAM writer: (recommended for more experienced users) this page contains the assembly for a large one-size-fits all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it.
Addendum: repairing the "MAILWRITER" pokémon
In case something happens with the "MAILWRITER" nicknamed pokémon that causes it to no longer function, you can repair the pokémon without having to reset TM quantities using the following procedure:
- Arrange the party as follows:
- Any
- Any
- "BOXCODES" pokémon holding mail
- Any
- "MAILWRITER" pokémon
- Any
- Enter the following language-specific box name. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().
|
- Read the mail held by the "BOXCODES" pokémon
- Go to any pokémon center and follow the correct steps until you reach the correct location
- Use the Coin Case to execute the code. If the game crashes, doublecheck the box name code and ensure you've performed every step of the process correctly
- If the code executes succesfully without crashing the game, the "MAILWRITER" nicknamed pokémon has now been repaired.
Appendix: in-depth explanation of the setup
Effect of the setup box name code
Converting the characters from box names to assembly results in the following code. Please note that the box name code overwrites part of itself, the translated assembly assumes the code was already used once.
The code overwrites part of itself to call the byteFill function. This will fill the area between $D57E and $D5AF with $FF values, setting all 50 TM quantities to 255.
Separately, this code overwrites the latter half of party pokémon #5's stat experience data, allowing it to function as a TM25 bootstrap that redirects execution to the Mail Writer.
Lastly, the value of the first item ID in the main item pocket is overwritten so that it becomes a TM25.
Box 1: $D8BF 80 add a, b AF xor a ; a = $00 EA F9 F8 ld ($F8F9), a D6 FF sub $FF ; a = $01 FB ei 50 ld d, b Box 2: $D8C8 EA F7 F8 ld ($F8F7), a D6 D0 sub $D0 ; a = $31 EA FC F8 ld ($F8FC), a 50 ld d; b Box 3: $D8D1 E6 A1 and $A1 ; a = $21 EA F4 F8 ld ($F8F4), a D6 EF sub $EF ; a = $32 FB ei 50 ld d, b Box 4: D8DA EA F8 F8 ld ($F8F8), a D6 E6 sub $E6 ; a = $4C EA FB F8 ld ($F8FB), a 50 ld d, b Box 5: $D8E3 E6 84 and $84 ; a = $04 EA FB FA ld ($FAFB), a D6 86 sub $86 ; a = $7E FB ei 50 ld d, b Box 6: $D8EC EA F5 F8 ld ($F8F5), a EA FD FA ld ($FAFD), a F6 FF or $FF ; a = $FF, reset carry flag 21 Box 7: $D8F5 7E F5 ld hl, wTMsHMs 01 32 00 ld bc, $0032 D4 4C 31 call nc, byteFill 50 ld d, b Box 8: $D907 E6 D2 and $D2 ; a = $D2 EA FC FA ld ($FAFC), a D6 FA sub $FA ; a = $D8, TM25's item ID FB ei 50 ld d, b Box 9: $D910 EA B8 F5 ld (wItems), a ; Main item pocket, first item ID D6 E3 sub $E3 ; a = $F5 EA FE FA ld ($FAFE), a 50 ld d, b Box 10: $D919 D6 B7 sub $B7 ; a = 3E, reset carry flag EA FA FA ld ($FAFA), a D0 ret nc 50 ld d, b Party pokémon #5's stat experience, starting from $DAFA 3E 04 ld a, $04 D2 7E F5 jp nc, wTMsHMS ; Carry and zero flag are both reset when using TM25
Effect of the TM code
Converting the TM quantities to assembly results in the following code. Please note that this code requires a value of $04 in register a in order to properly work.
11 55 DD ld de, $DD55 D5 push de D5 push de ; .nextMail D5 push de 21 42 62 ld hl, _ComposeMailMessage CF rst08h, FarCall a:hl E1 pop hl D1 pop de 2A ldi a, (hl) ; .continue FE 50 cp $50 38 FB jr c, .continue 28 0A jr z, .terminator 87 add a, a 86 add a, (hl) 12 ld (de), a 13 inc de 23 inc hl 81 add a, c 4F ld c, a 12 ld (de), a 18 EF jr .continue 21 01 C4 ld hl, $C401 ; .screenLoop 4D ld c, l CD EF 3A call PrintBCDNumber.loop - 1 1B dec de ; .goBack CD 90 37 call JoyTextDelay_ForcehJoyDown BD cp a, l ; l = $04 28 D9 jr z, .nextMail 38 F0 jr c, .displayLoop FE 08 cp $08 C8 ret z 18 F2 jr .goBack
Effect of the reset box name code
Converting the characters from box names to assembly results in the following code. This code overwrites the latter half of party pokémon #3's stat experience data, allowing it to function as a TM25 bootstrap that redirects execution to the Mail Writer.
Box 1: $D8BF 80 add a, b AF xor a ; a = $00 D6 FC sub $FC ; a = $04 EA 9B FA ld ($FA9B), a FB ei 50 ld d, b Box 2: $D8C8 D6 86 sub $86 ; a = $7E EA 9D FA ld ($FA9B), a D6 89 sub $89 ; a = $F5 FB ei 50 ld d; b Box 3: $D8D1 EA 9E FA ld ($FA9E), a D6 B7 sub $D7 ; a = $3E EA 9A FA ld ($FA9A), a 50 ld d, b Box 4: D8DA 87 add a, a D6 B9 sub $B9 ; a = $C3 EA 9C FA ld ($FA9C), a A7 and a ; Reset carry flag D0 ret nc 50 ld d, b Party pokémon #3's stat experience, starting from $DA9A 3E 04 ld a, $04 C3 7E F5 jp wTMsHMs ; Carry and zero flag are both reset when using TM25
Plain text transcripts of codes
| Language | English |
|---|---|
| Set all TMs to x255
Set up TM 25 bootstrap |
Box 1: A p é 3 2 'v 9 5 Box 2: é 1 2 'v 'd é 6 2 Box 3: ? b é , 2 'v ♂ 5 Box 4: é 2 2 'v ? é 5 2 Box 5: ? E é 5 4 'v G 5 Box 6: é ♀ 2 é 7 4 0 9 Box 7: ♀ ♀ ♀ ♀ ♀ 's ♀ ♀ Box 8: ? 'm é 6 4 'v 4 5 Box 9: é y ♀ 'v - é 8 4 Box 10: 'v x é 4 4 'd |
| Repair TM25 bootstrap |
Box 1: A p 'v 6 é ) 4 5 Box 2: 'v G é ; 4 'v J 5 Box 3: é [ 4 'v x é ( 4 Box 4: H 'v z é : 4 h 'd |